A Privacy Manifesto for the Web 2.0 Era

Written by Alec Saunders, co-founder and CEO of iotum, creators of the first conference calling service for Facebook. Alec’s personal blog is about VoIP and web products, technologies and businesses.

In October, Verizon revealed that it would share customers’ calling records, including numbers of incoming and outgoing calls and time spent on each call, with third parties. Customers were informed that they could opt out of the new practice by telephoning a 1-800 number within 30 days of having received notification from Verizon; failure to object was deemed by the company to be consent.

An ongoing practice of credit agencies is to charge consumers to see their own credit scores. Transunion, for example, charges a whopping $14.95 for a basic credit report.

In early January, Robert Scoble attempted to liberate his social graph from Facebook via the use of a prohibited automated script provided by Plaxo, prompting the social networking site to ban him. He was reinstated after the ban provoked a blogstorm. Scoble’s explanation boiled down to “What? I was just trying to migrate my social graph to another network…shouldn’t that be allowed?”

These three points highlight the disregard many corporations have for customers’ privacy. Corporations collect vast amounts of data, assert ownership over the data they collect, restrict access by customers to their own data, and cavalierly exchange that data with third parties. The misunderstanding of the basic guarantees corporations should offer is profound, and as consumers we all suffer.

Let’s start by defining what we mean by personal information. Personal information includes any factual or subjective information, recorded or not, in any form, about an individual. For example: name, address, telephone number, gender, identification numbers, income, blood type, credit records, loan records, existence of a dispute between a consumer and a merchant — even intentions to acquire particular goods or services. And let’s not forget health, medical history, political opinions, religious beliefs, trade union membership, financial information and sexual preferences!

Now, what rights should you have? Here are four principles that form a Privacy Manifesto for the Web 2.0 Era.

1. Every customer has the right to know what private information is being collected. That rules out any secret data collection schemes, as well as monitoring regimes that the customer hasn’t agreed to in advance. It also rules out any advertising scheme that relies on leaving cookies on a customer’s hard disk without the customer’s consent.

2. Every customer has the right to know the purpose for which the data is being collected, in advance. Corporations must spell out their intent, in advance, and not deviate from that intent. Reasonable limits must be imposed on the collection of personal information that are consistent with the purpose for which it is being collected. Furthermore, the common practice of inserting language into privacy policies stating that the terms may be modified without notice should be banned. If the corporation collecting data wishes to change its policy then it’s incumbent upon the corporation to obtain the consent of customers in advance.

3. Each customer owns his or her personal information. Corporations may not sell that information to others without the customer’s consent. Customers may ask, at any time, to review the personal information collected; to have the information corrected, if that information is in error; and to have the information removed from the corporation’s database.

4. Customers have a right to expect that those collecting their personal information will store it securely. Employees and other individuals who have access to that data must treat it with the same level of care as the organization collecting it is expected to.

Viewed through the lens of these four principles:

Verizon should have asked customers’ permission before sharing their information, and should have assumed that permission was denied until informed otherwise.

Credit agencies should, upon request, share an individual’s information with them; should require consent from the individual before sharing their information with a third party; and should allow an individual to opt out of the credit reporting processes altogether.

Facebook comes up smelling like a rose. The guarantee that they made to their users was that they wouldn’t share personal information with third parties. Facebook banned the use of automated scripts to prevent that information from being taken from the site. And Facebook explicitly recognizes in their terms of service that a user’s personal information is owned by the user, not Facebook, and the company is merely a licensee.
Facebook’s privacy policy, however, contains a paragraph allowing them to unilaterally change the promises they make to their customers. Facebook should remove these weasel words.

Plaxo’s role in the Scoble incident is both surprising and disappointing. The company has one of the best privacy policies on the web today. However, it’s also seeking to advance an agenda that would create an open social graph with CTO Joseph Smarr’s Bill of Rights for Users of the Social Web, which is the source of the conflict. Surely the Plaxo team can see how Facebook couldn’t permit such a flagrant abuse of its terms and conditions. While one can make a good case that the social graph should be open, given Facebook’s current terms, opening that social graph should only be done with the consent of the owners of that data – Facebook’s users.

In many parts of the world, governments are now creating legislation embodying the four principles of this Privacy Manifesto. Citizens of those countries have responded favorably, rewarding businesses that assure their privacy, and penalizing those that don’t. In Canada, for example, personal information is protected by something known as the Personal Information Protection and Electronic Documents Act (PIPEDA) and as a result, it’s not unheard of for customers to patronize businesses that store their data locally. Many Europeans are equally sensitive.

Not only are the four principles of the Privacy Manifesto good for individuals, they’re good for business.

62 Responses to “A Privacy Manifesto for the Web 2.0 Era”

Hi.
This is all very interesting, having just watched a UK program about Facebook and issues with it. It was interesting to see Mark Zuckerberg say to journalists, when asked what he thought users would think about their new Ad system and the ability to target users, that it (Facebook) is an ad-driven service and users will have to put up with it.

They may not share the info but they will let you mine it and give you the users that fit the profile you want.
Personally I smell greed, and an acceptance that not all things last forever.

My apologies – I was not referring to your post as a “rant” – I was making a more general statement referring to the many other blogs and posts that pop up around the issue of online privacy – not your Manifesto. Also, to be clear, I think that I was agreeing with the conceptual framework underlying your Manifesto (notice, choice, etc.) – I just prefer the simplicity of the accepted framework to the creation of a new Manifesto.

I share your passion and desire to do something for consumers. I also appreciate your willingness to be out in front on the issues. It can be daunting (you get random comments that seem to be mostly complaints!). As the Chief Privacy Officer at WhitePages.com, I certainly have my share of concerns regarding privacy. Let’s keep the discussion going and see what we can do!

Good post Alec. I’m not sure I agree about the Plaxo incident; if you see the script as an extension of the user, then he gave permission for his data to be used in that way and Facebook should have allowed it.

The UK Data Protection Act explicitly talks about movement of data as well as collection/usage.

It’s true I’m a relative newcomer to privacy issues. I only started seriously examining them two years ago in the context of what we had to do in order to make iotum (my company) comply with Canadian and European privacy legislation. Unlike the United States, privacy isn’t an optional feature in this country. It’s the law. The principles I’ve posted here, and the definition of personal information are a distillation of Canadian legislation. I didn’t pull these out of the air, but I did work them into a document that could be easily understood by anyone. And because there isn’t legislation to govern these things in the US, I wrote them as a statement of rights that consumers should demand from the companies that collect their data.

The fact that credit agencies charge for reports that they’re required to give free demonstrates pretty clearly who the agency thinks owns that data. It’s an antiquated position.

The Facebook brouhaha doesn’t reflect badly on Facebook. The ensuing debate, however, reflects a misunderstanding of basic privacy principles.

And the assertion that the Privacy Principles are good for business has been shown repeatedly in this country, where a segment of consumers deliberately avoid doing business with American companies, or Canadian companies that do business with American companies, out of fears over privacy. One of the largest banks in this country changed its data storage and credit reporting agencies because of consumer pressure. They were using a US entity. They’re not any more.

Call them slogans or rants if you like, but these four principles capture the elements of modern privacy legislation. They are practical, balanced, and working well in many nations. They’re simply not the norm in the US at this point in time.

When I said you had “no right” I wasn’t taking a stance. That’s simply a statement of fact. As Facebook’s rules stand today, you don’t have the right under the terms of their license or in law to remove your friend list. Whether you SHOULD have that right is a different issue. My view on that is that the individuals who have befriended you should be the ultimate decision makers.

And yes, you can send me a birthday greeting. It’s January 27… a few weeks from now ;)

I’m always a bit concerned of anything that frames itself within the “Web 2.0” banner. Many of these principles are modifications of basic privacy concepts that have been growing offline for years. These have typically been framed to include some or all of the following: notice, choice, access and security.

While sloganeering and sweeping examples can lead to sweeping change – they can often lead to poor policy and bad decision making (“mushroom clouds” and “Mission Accomplished” come to mind). Take the definition of Personal information – which “includes any factual or subjective information, recorded or not, in any form, about an individual.” Really? So whether or not Bill Gates attended a conference (or which oil company executive attended meetings at the White House), is his “personal information”? I don’t think so.

In addition, some of the examples are just “off”. The fact that credit companies charge for copies of your credit report ignores the fact that Federal law requires them to provide you with a free copy. Further, the Facebook example, while annoying and frustrating, does not show the “disregard many corporations have for customers’ privacy.” As noted later in the post, Facebook did exactly what they said they would do.

Finally, where did the statement that “Not only are the four principles of the Privacy Manifesto good for individuals, they’re good for business” come from? I didn’t see anything about this in the post. The use of data by big and small companies around the world has been growing for decades. Simply throwing out a list of items that would drastically limit the use of data and saying that it is good for business is, at best, wishful thinking – and ultimately harmful to making some real change happen.

I applaud the effort and passion that appears to be behind the Manifesto. Indeed, the more discussion around these types of issues – the better off we will all be. However, I would hope that we can use all the work that has been conducted over many years in the creation of laws in numerous countries to develop a sensible approach that balances the real need for consumers to protect their privacy and the obvious economic concerns of business and consumers (as noted previously, like it or not, there is a real benefit to consumers in many cases). I think the real challenge (and opportunity) is to begin to gather different companies to talk about these issues – and how we can turn rants, posts and manifestos and existing frameworks and laws into something actionable.

This post and the subsequent discussion becomes more topical because I just read that Facebook, Google and Plaxo have decided to join DataPortability.org. So in principle at least data can now migrate from one place to another. The question is which data and who can port it. So Manifesto or Miss Manners (see my previous comment) becomes all the more critical.

I am afraid that there are practical difficulties in making these principles work when the social network is really distributed. Let me explain, because those difficulties apply to the general case as well. In the distributed case that I have implemented, I decide which information I am willing to share with you. As part of the normal course, you can retrieve that information and use it subsequently (email in particular). Then only Miss Manners prevents you from spreading that information further. In other words, when the information is really distributed, the agreements are between the two individuals, and I think only social norms can enforce the privacy manifesto, and we know how much it is enforced in our carbon life.

Let me now focus on normal scenarios where third parties are involved. Suppose that I develop a utility that I run on my PC which can “scrape” data as received by the browser, process it and store it in another location which broadcasts to the whole world. Now I use it whenever I visit Facebook. Am I violating their TOS? How will they even know it? Will the Manifesto help me? I feel here again the only hope is Miss Manners.

The Manifesto is helpful only if a limited number of third parties, and commercial enterprises at that, are involved.

I agree with your point about tightly defined rights to a certain extent. My view is that a few key principles ought to be enough to allow people to make intelligent decisions about how to handle privacy situations. And although other countries have legal regimes built around personal privacy, I don’t see any signs of that happening soon in the US. Hence the need for the market to define what those rights should be, and the value of Scoble’s stunt in causing that discussion to take place.

Moreover, most of us already agree to terms of service when signing up for a web site, and that’s where the cookie permissions and others should be embedded. It’s the sites which cookie without telling users, even in the TOS, that are the dangerous ones.

The business card standard, by the way, is codified in law in Canada. Information that would ordinarily be publicly accessible on a business card can be collected and reused. Otherwise, for example, telephone directories would require you to opt in.

Alec, your four principles are appealing, but in their current form they may be unworkable. Requiring explicit consent before leaving a cookie or changing a privacy policy will most likely result in so many “by checking this box you agree to our 18 page terms and conditions” that users will mindlessly “agree” the same way they agree to all the fine print on the back of a car rental contract. Look what happened to HIPAA in the U.S., where every patient routinely waives his or her privacy rights in order to allow the provider to bill the insurance company. We may need to settle for a more tightly defined set of rights that can not be waived, such as the absolute right for a person to be granted access to all information about him or her, and to be able to correct erroneous information.

With respect to the Scoble/Facebook/Plaxo incident, Facebook is free to prohibit certain activities and Scoble is free to protest through words and deeds. (I doubt many people would support sending Scoble to jail for disobeying an edict from Mark Zuckerberg.) Ultimately the market will sort out what is acceptable which is what appears to be happening in this case. In the end, Social Networking Services which aren’t open will perish as certainly as did closed email systems. The more difficult problem is to define who owns the “business card” information that forms the nodes of the social graph. Some people have the romantic notion that they should be able to control how this information is used after they give it to someone, but whether Scoble uploads it to Plaxo or merely writes it on the back of his hand with a Sharpie is just a matter of degree. Better to have laws restricting what one can do with it, e.g. sending Spam, than trying to control where a recipient stores it.

Scoble has no right to that data, unfortunately. The license that each individual user of Facebook grants is to Facebook, not to the other users, notably their friends. Moreover, each user agrees to be bound by Facebook’s TOS. Friend or no, he can’t simply scrape the information up.

Some sort of transitive model is required, I agree. Not only that, I agree that it’s even desirable to have this kind of model. But as a Facebook user, I am happiest that Facebook chose to stick by their legal obligation to me, as stated in their TOS.

Some of the principles are definitely part of AttentionTrust.org. The difficulty I have with AttentionTrust is really in defining what attention data is. It’s far easier for me, and I suspect most people, to think in terms of personal information.

And by the way, I suspect that some of these principles could be realized with your proposals to distribute this information, no?

You’re right that user data and profiles are all that a social network has. However, even today Facebook acknowledges that it doesn’t own that data. As a Facebook user, you own your own data, and grant a license to Facebook so that it may perform the services of Facebook on your behalf. Facebook is clearly a money making enterprise. So I don’t believe that it’s necessarily a requirement for them to own my data, but rather it’s a requirement that I permit them to host my data.

Alec,
Since you are from Canada (as am I), it looks like you are using the Canada privacy rules as a base and they are a good start.

I must disagree with your interpretation regarding the Scoble incident.
This was not Facebook sharing our data with 3rd parties. This was not Plaxo trying to acquire our information.
This was Scoble trying to do something with his “Friends” data. I would argue that when you “friend” someone in a social network setting, there is an implied permission to the other person to connect with you. After all, Scoble has access to every friend’s email address on their profile page. As long as Scoble is using those email addresses to connect with his friends (even if on a different service), I argue that he is well within his permissions.
Individuals need to take some responsibility when giving access to their personal data. I think people who “friend” others need to consider the consequences of giving people access to our information. If you don’t want people to use it, then don’t “friend” them, or in Facebook limit their access using the privacy settings.

As said, I agree with the privacy policy. I recently had all my usage data deleted from a social media site that suddenly had all private names indexed so that your own name and profile would appear at the top of the Google search list. This was done without any notification or opt out for users. These kinds of practices are completely unacceptable imo.

Another interesting example was a recent riot in Germany when Xing (a German/European version of Linked-In) started advertising on customer profile pages. After a lot of protests and media attention Xing reversed its decision.

However, it poses some very interesting challenges to social media sites, because user data and profiles are all they have got, and if they can not monetize them, how should they make money?

I think it’s very clear that users are willing to surrender some privacy in order to gain access to free services. Look at Google and their adsense model. At this point in time, however, the user has no control over their personal information once that privacy has been surrendered. What is my recourse if I decide I no longer want the service but the service provider doesn’t wish to return my personal information to me? Or worse yet, has sold my personal information to another party?

re: “Fair Use” — legally, here in Canada, the only “fair use”, or public domain, personal information is the information you might find on a business card. Everything else is deemed personal. That may be too restrictive, but it seems that reasonable people ought to be able to agree on a standard set of data that might be exchangeable.

re: linkage — we shouldn’t confuse identity and privacy. They are separate. Personal information should be mine and mine alone to dictate how it is used. Identity information must be shared. Even the link state is my personal information, and not identity. I could choose not to share that information without compromising identity, and it’s desirable in some circumstances to not share that information.

As we all know a lot of internet sites and services are free and funded by advertising or some other form of business model based on visits and user data or profiles.

So if users will gain full control of their data, will they be willing to start paying for these services? Or will we see a model where users will permit certain use of their data in return for services?

I think the comparison to copyright highlights some of the difficulties that privacy has with the internet and society in general. To make more of the analogy, you are faced with ambiguity around ownership and use. Take medical information, for example. The data is about you, but it reflects the intellectual efforts of the doctor. I can understand the doctor not wanting to relinquish this for “free” nor be compelled to delete it. However, since this data is intimately connected to a person, it would be almost slanderous to use it in a harmful manner; hence we have codified social norms like HIPAA to literally act like personal information copyright contracts. But I think there is more: there is also a gray area similar to “fair use” where both sides might be privy to some implicit rights to the data, e.g. I can use test results for a second opinion.
Medical information is not the only example. Phone numbers and domains are commercial property. There has to be a balance, as these assets can not be stripped from their current owners (telcos, ISPs, etc.) without due consequences. Conversely, egregious abuse by these corporate stewards can not go unchecked, something that a free market has many methods of doing. The sticky point here, where analogies tend to fall apart, is that unlike copyright, ownership here has a direct impact on identity. IMHO, it is actually an unfortunate artificial consequence that something used to aid a transaction takes on such overbearing importance. In the US the Social Security Number is such an example of a simple data point cum identity going astray. It is this strong linkage between the asset and you as a person that causes the problem. Alec’s proposal is a good step forward, but we all need to also consider these components divested from the gestalt issue.
Taking the linkage problem one step further, I would like to treat the Facebook issue separately. Again, from a strictly identity perspective, the notion of my social graph containing such a large vector of information like Alec’s birth date, phone number, shoe size, etc., is in direct violation of some very good identity principles set by Kim Cameron and others in the identity community (namely, only divulge the least amount of information necessary to complete the transaction). Clearly the link state (that of Alec being a Facebook friend) is the important piece of data where the portability discussion needs to occur in this particular instance. Dragging in the other pieces of data (or is it meta data in this case ;-) only exacerbates the ownership issues highlighted above, which have been concealed by such broad strokes in the conversation thus far.

Hmmm…Plaxo’s past appears from here to be its present: I logged rejected spam from them six days ago. And as far as I can tell — from monitoring a pretty decent cross-section of anti-spam mailing lists, newsgroups and web sites, they haven’t bothered to consult with the people who are arguably the leading experts in the field. Nor have they taken one of the fundamental steps required to rehabilitate their reputation: publicly apologizing.

So, yes, I’m very, very skeptical. I hope you’re right; it would be nice to see the world’s first example of an ex-spammer. But experience (long bitter experience) suggests that this is unlikely.

I wouldn’t care to defend Plaxo’s past. There’s no doubt that they were egregious spammers in their early days. However, in the development of our own company’s privacy policy I:
– engaged academics in the field
– researched privacy policies of various companies
– interviewed chief privacy officers at various companies, including companies like Plaxo who were known as violators.

Plaxo’s policy is probably one of the best I’ve seen. It makes substantive guarantees, and states them in plain language. At this point, I’ll cut them some slack, because they look to me like they’re doing all the right things. Their biggest problem right now is public perception, and unfortunately the stunt with Robert Scoble doesn’t help that.

Viktor – you’re right that both copyright and privacy are about control of data. They’re different, however, in that as individuals we’re not trying to build business around the sale of our personal data. The music industry, by comparison, is actively working on having me consume their product.

While reading the article I realized that privacy and copyright are basically the same question: someone owns something that became extremely easy to steal.

In the case of copyright, the music industry owns the informational good (that is, digitized music), and the users would like to “steal” it (resample and/or download).

In the case of privacy, the individuals own their informational good (that is, their privacy), and the industry would like to “misuse” it (share it with third parties, and abuse the users based on the information it has).

Interestingly though, it seems that today we would like to give different answers to these two questions:
* copyright: the music industry should change itself as the video gaming industry did 30 years ago, and it should focus on the experience of its customers to survive, but should allow music lovers to produce (and resample or download?) their own music. (http://gigaom.com/2008/01/07/what-the-video-arcade-tells-us-about-the-recording-industry/)
* privacy: the web2.0 industry should change itself, and it should restrain itself from using our data as its own property

One reason behind the different answers might be the relation of costs and benefits. Seemingly we think that the music industry will survive (and even flourish) and that intellectual property is less stringent than “privacy property”. That is, it is more costly for the society to abuse someone’s private life than someone’s intellectual products.

But one might ask the question the other way around, and for the moment we don’t know who is right. That is, the music industry is fine today (just like we are with our privacy), and wants to save its property. On the other hand, it’s the listener who should adapt, and focus on

I think this seems to be reasonable, but not obvious, and as such the point should be made clearly.